Re: client-side signature checking of Debian archives

To: debian-devel@lists.debian.org
Subject: Re: client-side signature checking of Debian archives
From: Russ Allbery <rra@debian.org>
Date: Sun, 23 Oct 2016 19:20:35 -0700
Message-id: <[🔎] 87shrmmqrw.fsf@hope.eyrie.org>
In-reply-to: <[🔎] CAKTje6HQMsDhSh6MGFK8QxCnBf66pkfSs7UanwaSXZCQCY3kbQ@mail.gmail.com> (Paul Wise's message of "Mon, 24 Oct 2016 09:46:37 +0800")
References: <[🔎] CAPgP4gxcptXTNcEFb5Jf+SkAYPWSuXwRVAoiqmABG_+gDCdGYw@mail.gmail.com> <[🔎] 580CC7E3.2030301@debian.org> <[🔎] CAPgP4gwkkfhsfUMzGqT6AWqFnL7u2dazBvbj1ZPTpjQy0WTQeA@mail.gmail.com> <[🔎] 580CED6C.8070206@debian.org> <[🔎] 87lgxf3qo4.fsf_-_@violet.siamics.net> <[🔎] CAPgP4gzhY0ui0vA2tfZ8kLH2VuXrFPUEP1TZF2GLckaYAoN2TQ@mail.gmail.com> <[🔎] CAKTje6HQMsDhSh6MGFK8QxCnBf66pkfSs7UanwaSXZCQCY3kbQ@mail.gmail.com>

Paul Wise <pabs@debian.org> writes:
> On Mon, Oct 24, 2016 at 7:21 AM, Kristian Erik Hermansen wrote:

>> The point is to improve privacy.

> Better privacy than https can be had using Tor:

> https://onion.debian.org/

Yeah, but this is *way* harder than just using TLS.  You get much of the
benefit by using TLS, and Tor comes with a variety of mildly problematic
side effects (speed issues, rather more complicated to set up and keep
going for the average person, the fact that sadly Tor is also pretty
widely used for malicious activity so you have to be a bit cautious in
*how* you use it, etc.).  By comparison, the work for TLS is all on the
project's part, and then the end user just gets the benefit for nearly
free.

-- 
Russ Allbery (rra@debian.org)               <http://www.eyrie.org/~eagle/>

Reply to:

Follow-Ups:
- Re: client-side signature checking of Debian archives
  - From: David Kalnischkies <david@kalnischkies.de>

References:
- Re: When should we https our mirrors?
  - From: Kristian Erik Hermansen <kristian.hermansen@gmail.com>
- client-side signature checking of Debian archives (Re: When should we https our mirrors?)
  - From: "Eugene V. Lyubimkin" <jackyf@debian.org>
- Re: client-side signature checking of Debian archives (Re: When should we https our mirrors?)
  - From: Kristian Erik Hermansen <kristian.hermansen@gmail.com>
- Re: client-side signature checking of Debian archives (Re: When should we https our mirrors?)
  - From: "Eugene V. Lyubimkin" <jackyf@debian.org>
- Re: client-side signature checking of Debian archives
  - From: Ivan Shmakov <ivan@siamics.net>
- Re: client-side signature checking of Debian archives
  - From: Kristian Erik Hermansen <kristian.hermansen@gmail.com>
- Re: client-side signature checking of Debian archives
  - From: Paul Wise <pabs@debian.org>

Prev by Date: Re: client-side signature checking of Debian archives
Next by Date: Re: client-side signature checking of Debian archives (Re: When should we https our mirrors?)
Previous by thread: Re: client-side signature checking of Debian archives
Next by thread: Re: client-side signature checking of Debian archives
Index(es):
- Date
- Thread